CVE-2024-3273:
A remote, unauthenticated command-injection vulnerability exists in the HTTP GET Request Handler nas_sharing.cgi of D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L devices, allowing arbitrary commands to be executed by manipulating the system argument (CWE-77); the flaw is rated high severity with a CVSS base score of 7.3 and affects firmware version 20240403 on the listed models.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Apr 4, 2024
- CISA KEV Date:Apr 11, 2024
- Industries Affected:20
7 DaysThreat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
A remote, unauthenticated command-injection vulnerability exists in the HTTP GET Request Handler nas_sharing.cgi of D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L devices, allowing arbitrary commands to be executed by manipulating the system argument (CWE-77); the flaw is rated high severity with a CVSS base score of 7.3 and affects firmware version 20240403 on the listed models.
Overview
This CVE describes a critical remote command-injection vulnerability in the D-Link NAS devices DNS-320L, DNS-325, DNS-327L, and DNS-340L, located in the nas_sharing.cgi component's HTTP GET request handler. By manipulating the system argument, an attacker can inject and execute commands on the device without authentication, potentially compromising the device and related network resources. The flaw is associated with CWE-77 (Command Injection) and has a CVSS base score of 7.3 (HIGH) for both CVSS v3.0 and v3.1. The advisory notes that the affected firmware is 20240403 and that the products are end-of-life with no available patch from the vendor, increasing the risk profile. Public disclosure and available exploit information further elevate the urgency of mitigation, though remediation options are limited by the vendor’s discontinued support.
Remediation
- No vendor patch is available; these products are end-of-life. Primary remediation is to retire the affected devices and replace them with supported, security-patched hardware.
- If replacement is not immediately possible, apply network-side mitigations:
- Disable or tightly restrict remote management and HTTP access from untrusted networks; block access to the NAS web interface from the internet.
- Place the devices behind a firewall or VPN and segment them from critical networks; limit exposure to only trusted internal networks.
- Enforce strict access controls, monitor and log all administrative activity, and consider disabling unnecessary services on the device.
- Stay informed with vendor advisories and public risk notices and plan for timely migration to supported platforms when feasible.
References
- - [VDB-259284 | D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection](https://vuldb.com/?id.259284)
- - [VDB-259284 CTI Indicators (IOB, IOC, TTP, IOA)](https://vuldb.com/?ctiid.259284)
- - [Submit #304661 | D-LINK DNS-340L, DNS-320L, DNS-327L, DNS-325 Command Injection, Backdoor Account](https://vuldb.com/?submit.304661)
- - [GitHub netsecfish/dlink](https://github.com/netsecfish/dlink)
- - [SAP10383 | D-Link security advisory (support announcement)](https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383)
- - [CISA Known Exploited Vulnerabilities Catalog entry for CVE-2024-3273](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-3273)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Apr 9, 2024
- CISA KEV Date:Apr 11, 2024
- Days Early:7 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
